Mycpen

Recording my learning journey and the knowledge that benefited me

18_Linux Basics - User Permissions 3

1. Review: Configuration Files Generally Located in /etc Under the Root Directory#

Configuration files are generally located in /etc under the root directory.

A user has exactly one primary group but can belong to several supplementary groups; either kind of membership confers the same thing, namely the permissions granted to that group.

Example
---------------------------------------------------------------------------------------------------------------------------------
[root@sanchuang-linux ~]# useradd sanle10
[root@sanchuang-linux ~]# id sanle10
uid=2224(sanle10) gid=2224(sanle10) groups=2224(sanle10)
[root@sanchuang-linux ~]# less /etc/group
[root@sanchuang-linux ~]# useradd sanle11 -g sanchuang05 -G sanchuang06	# Specify primary and supplementary groups
[root@sanchuang-linux ~]# id sanle11
uid=2225(sanle11) gid=1043(sanchuang05) groups=1043(sanchuang05),1044(sanchuang06)
[root@sanchuang-linux ~]# less /etc/passwd					# Note: Stores user information
hello:x:1007:1007::/home/hello:/bin/bash
# Note: Field 2 is just a password placeholder; the actual password is stored in /etc/shadow
[root@sanchuang-linux ~]# ls -al /etc/passwd
-rw-r--r-- 1 root root 4539 Nov 12 09:50 /etc/passwd		# Note: Anyone can access /etc/passwd
[root@sanchuang-linux ~]# ls -al /etc/shadow
---------- 1 root root 4588 Nov 12 09:50 /etc/shadow		# Note: Permissions are all 0; only root can read it, because root bypasses the permission bits

[root@sanchuang-linux ~]# useradd sanle13 -c "create sanle13"	# Note: Specify user description
[root@sanchuang-linux ~]# less /etc/passwd
sanle13:x:2227:2227:create sanle13:/home/sanle13:/bin/bash	 # Note: Field 5 is user description

[root@sanchuang-linux tmp]# ls -ld /lianxi	# Note: Check which user and group the /lianxi directory belongs to
drwxr-xr-x. 9 root root 4096 Nov  9 09:47 /lianxi

# Ordinary users can only create files in their home directory or in the /tmp directory by default.

Set personal environment information
~/.bash_profile
~/.bashrc

[root@sanchuang-linux tmp]# id sanle11
uid=2225(sanle11) gid=1043(sanchuang05) groups=1043(sanchuang05),1044(sanchuang06)	# Note: Primary group sanchuang05
[root@sanchuang-linux tmp]# su - sanle11
[sanle11@sanchuang-linux ~]$ touch cc
[sanle11@sanchuang-linux ~]$ ls -al
total 16
……………………
-rw-r--r--   1 sanle11 sanchuang05    0 Nov 12 10:21 cc	# Note: Effective group sanchuang05
# Note: The effective group is the user's primary group
[sanle11@sanchuang-linux ~]$ newgrp sanchuang06			 # Note: Change effective group; temporary change
[sanle11@sanchuang-linux ~]$ touch dd
[sanle11@sanchuang-linux ~]$ ls -al
……………………
-rw-r--r--   1 sanle11 sanchuang06    0 Nov 12 10:23 dd	# Note: Effective group sanchuang06

2. Exercises#

2.1#

Question 1

Create three users sx1, sx2, sx3, all of whom belong to the sanle group as a supplementary group. Create a directory named /home/sanle, where the three users can collaborate on file processing. Properly modify the permissions of this directory to allow only the users and the group to access, delete, and create files in this directory, while other users have no permissions. The files created by the three users should only be deletable by themselves, and they should not be able to delete each other's files. Additionally, newly created files should automatically be assigned to the sanle group ownership.

Example
---------------------------------------------------------------------
groupadd sanle			# Note: The group must exist before useradd -G can reference it
useradd -G sanle sx1
useradd -G sanle sx2
useradd -G sanle sx3
mkdir /home/sanle
chgrp sanle /home/sanle		# Note: The directory's group must be sanle, otherwise mode 770 locks the three users out
chmod 3770 /home/sanle		# Note: 3 = setgid (new files automatically get group sanle) + sticky (only a file's owner can delete it); 770 = no access for others
# Note: The setgid bit makes the group assignment automatic; newgrp sanle only changes the effective group of the current shell and would have to be rerun by every user in every session

2.2#

Question 2 Script

---------------------------------------------------------------------

  1. Create users
  2. Delete specified users
  3. Modify specified users (user id, user group, user home directory)
  4. Delete specified users
Example 1
---------------------------------------------------------------------
#!/bin/bash
menu(){
    echo "1. Create user"
    echo "2. Delete specified user"
    echo "3. Modify specified user (user id, user group, user home directory)"
    echo "4. Delete specified user"
}

add(){
    read -p "Enter username:" username			  # Note: Receive input from the keyboard
    useradd "$username" &>/dev/null && echo "Creation successful" || echo "Creation failed"
}

del(){
    read -p "Enter username:" username
    userdel -r "$username" &>/dev/null && echo "Deletion successful" || echo "User does not exist"
}

modify(){
    read -p "Enter username:" username
    if id "$username" &>/dev/null			# Note: Test the exit status of id directly instead of checking $? afterwards
    then
        read -p "Enter uid:" uid				# Note: Can add 3 more cases for more details
        read -p "Enter gid:" gid
        read -p "Enter home directory:" home
        usermod -u "$uid" -g "$gid" -d "$home" "$username" 2>/dev/null && echo "Modification successful" || echo "Modification failed"
    else
        echo "User does not exist"
    fi
}

while :
do
    menu
    read -p "Please enter 1-4:" option
    case $option in
    1)
        add
        ;;
    2)
        del
        ;;
    3)
        modify
        ;;
    4)
        del
        ;;
    *)
        echo "Invalid input"
    esac
done

Example 2: Add multiple variables at once
---------------------------------------------------------------------------------------------------------------------------------
mod(){
    read -p "Enter (user id, user group, user home directory, username):" userid usergroup userhome username
    usermod -u "$userid" -g "$usergroup" -d "$userhome" "$username" &>/dev/null && echo "Modification successful" || echo "Modification failed"
}

Example 3: Precise selection (recommended)
---------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash

menu(){
    echo "1. Create user"
    echo "2. Delete specified user"
    echo "3. Modify specified user (user id, user group, user home directory)"
}
menu2(){
    echo "1. Modify user id"
    echo "2. Modify user group"
    echo "3. Modify user home directory"

}

add(){
    read -p "Enter username:" username
    if id "$username" &>/dev/null			# Note: Three outcomes (exists / created / failed) need if-else; a single && || chain cannot express them, because && and || have equal precedence and group left to right
    then
        echo "User already exists"
    else
        useradd "$username" &>/dev/null && echo "Creation successful" || echo "Creation failed"
    fi
}

del(){
    read -p "Enter username:" username
    if id "$username" &>/dev/null
    then
        userdel -r "$username" &>/dev/null && echo "Deletion successful" || echo "Deletion failed"
    else
        echo "User does not exist"
    fi
}

modify(){
    read -p "Enter username:" username
    if id "$username" &>/dev/null
    then
        menu2
        read -p "Please enter:" choice2
        case $choice2 in
        1)
            read -p "Enter uid:" uid
            usermod -u "$uid" "$username" &>/dev/null && echo "Modification successful" || echo "Modification failed"
        ;;
        2)
            read -p "Enter gid:" gid
            usermod -g "$gid" "$username" &>/dev/null && echo "Modification successful" || echo "Modification failed"
        ;;
        3)
            read -p "Enter home directory:" home
            usermod -d "$home" "$username" &>/dev/null && echo "Modification successful" || echo "Modification failed"
        ;;
        *)
            echo "Invalid input"
        esac
    else
        echo "User does not exist"
    fi
}

while true
do
    menu
    read -p "Please enter (press q to exit):" choice
    case $choice in
    1)
        add
        ;;
    2)
        del
        ;;
    3)
        modify
        ;;
    q)
	break
	;;
    *)
        echo "Invalid input"
    esac
done

3. Using ACL#

ACL (Access Control List) # Note: Access Control List (specifies who can/cannot access)

  • An access control list for a file/directory can assign rwx permissions to any specified user/group.

Setting ACL: setfacl command

  • Format: setfacl options rules file

Common options

  • -m: Add or modify rules in the ACL
  • -b: Remove all ACL rules
  • -x: Remove specified ACL rules

Viewing ACL: getfacl command

  • Format: getfacl file

Common rules

  • Format: type: specific user or group: permissions
  • user:(uid/name):(perms) Specify permissions for a specific user
  • group:(gid/name):(perms) Specify permissions for a specific group
  • other::(perms) Specify permissions for other users
  • mask::(perms) Set the effective maximum permissions

Note

  • user, group, other, mask are abbreviated as: u, g, o, m
  • perms use rwx

Note: ACL access control lists are common in work and cloud computing.#

Example 1: View file ACL
---------------------------------------------------------------------------------------------------------------------------------
# Note: Precise control over permissions
[root@localhost ~]# getfacl win-utf-2.txt 	# Note: View file ACL rules
# file: win-utf-2.txt						# Note: Get file ACL
# owner: root								# Note: Initial rules
# group: root
user::rw-
group::r--
other::r--
[root@localhost ~]# ls -la win-utf-2.txt 
-rw-r--r--. 1 root root 0 Oct 27 11:42 win-utf-2.txt
[root@localhost ~]# 
===============================================================================

Example 2: Grant read, write, and execute permissions to user sanchuang
# Note: For a specific user
---------------------------------------------------------------------------------------------------------------------------------
[root@localhost ~]# setfacl -m u:sanchuang:rwx win-utf-2.txt 	# Note: Grant rwx permissions to user sanchuang
[root@localhost ~]# getfacl win-utf-2.txt 				# Note: u can also be written as user, generally abbreviated
# file: win-utf-2.txt							# Note: Ordinary users do not have operation permissions on the /root directory
# owner: root
# group: root
user::rw-
user:sanchuang:rwx								# Note: Grant rwx permissions to user sanchuang
group::r--
mask::rwx
other::r--
[root@localhost ~]# ls -la win-utf-2.txt 		# Note: Permissions have a +
-rw-rwxr--+ 1 root root 0 Oct 27 11:42 win-utf-2.txt
===============================================================================

Example 3: Grant read and write permissions to a group
# Note: For a specific group
---------------------------------------------------------------------------------------------------------------------------------
[root@localhost ~]# setfacl -m g:sanchuang5:rw win-utf-2.txt 
[root@localhost ~]# ls -la win-utf-2.txt 		# Note: Set file ACL
-rw-rwxr--+ 1 root root 0 Oct 27 11:42 win-utf-2.txt
[root@localhost ~]# getfacl win-utf-2.txt 
# file: win-utf-2.txt
# owner: root
# group: root
user::rw-
user:sanchuang:rwx
group::r--
group:sanchuang5:rw-							# Note: Grant read and write permissions to the group
mask::rwx
other::r--
===============================================================================

Example 4: Set effective maximum permissions
# Note: Set effective permissions for mask
---------------------------------------------------------------------------------------------------------------------------------
# Note: Set the effective maximum permissions to r
# Note: The mask is a ceiling: named user and group entries cannot take effect beyond it
[root@localhost ~]# setfacl -m m::r win-utf-2.txt		# Note: Set effective maximum permissions
[root@localhost ~]# getfacl win-utf-2.txt 
# file: win-utf-2.txt
# owner: root
# group: root
user::rw-
user:sanchuang:rwx		# effective:r--					# Note: sanchuang's entry still says rwx, but the mask caps the effective permission at r
group::r--
group:sanchuang5:rw-		# effective:r--
mask::r--
other::r--
# Note: Once the mask is set, the named entries are capped by it: user sanchuang (rwx) and group sanchuang5 (rw-) are both effectively r--.
# Note: The mask applies to named users, the owning group and named groups; it does not apply to the owner (user::) or to other::.

4. Types of ACL#

Types of ACL

  • Access ACL: For files or directories
  • Default ACL: Only for directories

Default ACL

  • Format: setfacl -m default:type:specific user or group:permissions
    setfacl -m d:type:specific user or group:permissions
  • A directory with a default ACL will have all files or subdirectories under it inherit the ACL permissions of the parent directory, and subdirectories will also have the default ACL permissions.

Note: Default ACLs can only be set for directories.#

Example: Set default ACL
---------------------------------------------------------------------------------------------------------------------------------
[root@sanchuang-linux lianxi]# mkdir cc_test
[root@sanchuang-linux lianxi]# getfacl cc_test/
# file: cc_test/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
[root@sanchuang-linux lianxi]# setfacl -m d:u:sanle10:rw cc_test/	 # Note: Set a default ACL on the directory; files created inside it afterwards inherit it
[root@sanchuang-linux lianxi]# getfacl cc_test/
# file: cc_test/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx								# Note: New parameter
default:user:sanle10:rw-
default:group::r-x
default:mask::rwx
default:other::r-x
[root@sanchuang-linux lianxi]# cd cc_test/
[root@sanchuang-linux cc_test]# touch aa		# Note: Newly created files will inherit the default ACL settings
[root@sanchuang-linux cc_test]# getfacl aa
# file: aa
# owner: root
# group: root
user::rw-
user:sanle10:rw-								# Note: Newly created files will inherit the default ACL settings
group::r-x			# effective:r--
mask::rw-
other::r--
# Note: Files created before the default ACL is set will not inherit the default ACL settings.

5. Exercises#

  1. Create three groups: shuiguo, mifen, shaokao.

  2. Create three users: pingguo belongs to the shuiguo group, jingshi belongs to the mifen group, yueyang belongs to the shaokao group.

  3. Create a directory named food under the root directory and copy the /etc/passwd file into the food directory.

  4. Set permissions so that the passwd file can be read and written by the shuiguo group, the jingshi user can read, write, and execute, and the yueyang user cannot perform any operations.

Example
---------------------------------------------------------------------------------------------------------------------------------
#1
[root@sanchuang-linux lianxi]# groupadd shuiguo
[root@sanchuang-linux lianxi]# groupadd mifen
[root@sanchuang-linux lianxi]# groupadd shaokao
#2
[root@sanchuang-linux lianxi]# useradd -g shuiguo pingguo
[root@sanchuang-linux lianxi]# useradd -g mifen jingshi
[root@sanchuang-linux lianxi]# useradd -g shaokao yueyang
#3
[root@sanchuang-linux lianxi]# mkdir /food
[root@sanchuang-linux lianxi]# cp /etc/passwd /food
[root@sanchuang-linux lianxi]# cd /food
#4
[root@sanchuang-linux food]# setfacl -m g:shuiguo:rw passwd 
[root@sanchuang-linux food]# setfacl -m u:jingshi:rwx passwd 
[root@sanchuang-linux food]# setfacl -m u:yueyang:--- passwd			# Note: No permissions
[root@sanchuang-linux food]# getfacl passwd 
# file: passwd
# owner: root
# group: root
user::rw-
user:jingshi:rwx
user:yueyang:---
group::r--
group:shuiguo:rw-
mask::rwx
other::r--

6. Inheritance and Denial of Permissions#

A user belonging to a group inherits the permissions of that group.

  1. Primary group
  2. Secondary group

A user's primary (effective) group membership confers the permissions of that group; membership of a supplementary group confers the permissions of that group in the same way.

  • newgrp switches the effective group to one of the user's supplementary groups (see section 1)

For a user, an explicit denial takes precedence over everything else --> a user:name:--- entry denies that user even if a group entry would allow.

If one group allows and another group denies --> allow.
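The mask ceiling from Example 4 in section 3, the explicit user:yueyang:--- denial from section 5 and the precedence rules of this section all follow from the POSIX ACL access-check order. The following Python model is an added example (not from the original post or any system tool): it parses getfacl output in the form shown on the page and applies that order; the listings it uses are constructed from the page's own examples plus one made-up two-group case.

```python
# Constructed from the page's getfacl listings (section 3 Example 4; section 5).
WIN_UTF = """\
# file: win-utf-2.txt
# owner: root
# group: root
user::rw-
user:sanchuang:rwx        # effective:r--
group::r--
group:sanchuang5:rw-      # effective:r--
mask::r--
other::r--
"""

FOOD_PASSWD = """\
user::rw-
user:jingshi:rwx
user:yueyang:---
group::r--
group:shuiguo:rw-
mask::rwx
other::r--
"""

# Constructed: a user in two groups, one explicitly denied, one allowed.
TWO_GROUPS = """\
user::rw-
group::r--
group:deny:---
group:allow:rw-
mask::rwx
other::---
"""


def parse_getfacl(text):
    """Turn getfacl output into (tag, qualifier, perms) tuples. '# file:'
    headers and '# effective:' comments are dropped; the effective
    permission is recomputed from mask:: in effective() below."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, set(perms) - {"-"}))
    return entries


def effective(entries):
    """Apply the mask ceiling: named users, the owning group and named
    groups are capped by mask::; user:: (the owner) and other:: are not."""
    masks = [p for tag, _, p in entries if tag == "mask"]
    if not masks:
        return entries
    return [(t, q, p & masks[0] if (t == "user" and q) or t == "group" else p)
            for t, q, p in entries]


def check_access(entries, owner, owner_group, user, groups, perm):
    """Does `user` (member of `groups`) have `perm` ('r', 'w' or 'x')?
    Order follows the POSIX ACL algorithm: owner, then a named user entry,
    then every matching group entry (any one that grants wins), then other.
    A matching named-user entry is final, so user:x:--- denies x even when
    other:: or a group would allow (section 6: denial wins for users)."""
    ent = effective(entries)
    by = {(t, q): p for t, q, p in ent}
    if user == owner:
        return perm in by[("user", "")]
    if ("user", user) in by:
        return perm in by[("user", user)]
    matched = False
    for t, q, p in ent:
        if t == "group" and (q in groups or (q == "" and owner_group in groups)):
            matched = True
            if perm in p:
                return True
    if matched:
        return False
    return perm in by[("other", "")]


def demo():
    win, food, two = (parse_getfacl(t) for t in (WIN_UTF, FOOD_PASSWD, TWO_GROUPS))
    return {
        # sanchuang's rwx entry is capped by mask::r-- -> read only
        "sanchuang_w": check_access(win, "root", "root", "sanchuang", ["sanchuang"], "w"),
        "sanchuang_r": check_access(win, "root", "root", "sanchuang", ["sanchuang"], "r"),
        # yueyang's --- entry denies although other:: grants r
        "yueyang_r": check_access(food, "root", "root", "yueyang", ["shaokao"], "r"),
        # pingguo writes through group shuiguo; jingshi keeps x (mask is rwx)
        "pingguo_w": check_access(food, "root", "root", "pingguo", ["shuiguo"], "w"),
        "jingshi_x": check_access(food, "root", "root", "jingshi", ["mifen"], "x"),
        # one group denies, another allows -> allowed (section 6 group rule)
        "two_groups_w": check_access(two, "root", "root", "someone", ["deny", "allow"], "w"),
    }
```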


7. sudo Authorization#

sudo Authorization

  • The root user has the highest permissions in Linux.

    Shutdown, restart the system, configure IP addresses, format disks, mount, etc.

  • Ordinary users have very limited permissions.

  • How to give ordinary users certain permissions?

    Share the burden with the root user.

  • If authorization is possible, is it given to users or groups?

Note: sudo grants certain ordinary users the ability to execute commands as the root user.#

Note: sudo --> grants ordinary users the ability to execute commands.#

Note: sudo configuration file /etc/sudoers#


Note: The first ALL is the host field: on which machines (terminals) the rule applies; generally it means the local machine.#

Note: The second ALL, in parentheses, is the run-as field: the command may be executed as any user.#

Note: The third ALL is the command field: any command may be executed.#

Authorization logs: There is a log file that records all commands executed by authorized users /var/log/secure
View logs to know the execution status of authorized commands.
[root@cali ~]# tailf /var/log/secure

Example 1: Generate a random password
# Note: Tool to generate random passwords mkpasswd
https://www.cnblogs.com/shijunxian/archive/2020/05/26/12961543.html
---------------------------------------------------------------------------------------------------------------------------------
[root@sanchuang-linux food]# yum install expect -y
[root@sanchuang-linux bin]# mkpasswd -l 15 -d 3 -c 4 -C 4 -s 2
wjp4[HC]hx6mSO6
===============================================================================

Example 2: sudo configuration file /etc/sudoers
# Note: Authorize certain users to execute certain commands
# Note: Edit /etc/sudoers for authorization and verification
---------------------------------------------------------------------------------------------------------------------------------
[root@sanchuang-linux bin]# less /etc/sudoers
………………
## Syntax:
##
##      user    MACHINE=COMMANDS		………………
## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL					# Note: ALL indicates the current machine
# Note: 1. root is the user being granted the rule; 2. the first ALL is the host (the current machine) and (ALL) is the set of users the command may run as; 3. the last ALL is the command list, here every command.

===============================================================================

Example 3: Edit the configuration file /etc/sudoers to grant permissions to users
# Note: You can use vim to edit the configuration file or use visudo without specifying a filename.
# Note: It is recommended to use visudo to edit /etc/sudoers as it checks syntax; vim does not check syntax.
# Note: For user sanle, all permissions on the local host.
---------------------------------------------------------------------------------------------------------------------------------
[root@sanchuang-linux bin]# visudo			# Note: Use visudo without specifying a filename
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
sanle   ALL=(ALL)       ALL					
# Note: Indicates that the sanle user can execute any command of any user on this host, but when using sudo, the sanle user's password is required.
# Note: Without NOPASSWD, sudo asks for the user's own password; after a successful entry the authentication is cached for a period, so further sudo commands within that window do not prompt again.
[root@sanchuang-linux bin]# su - sanle		# Note: Switch to the sanle user
[sanle@sanchuang-linux ~]$ sudo passwd wy		# Note: With sudo, can perform any operation
We trust you have received the usual lecture from the local System Administrator. 
It boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type (consequences and risks).
    #3) With great power comes great responsibility.
[sudo] sanle's password:						# Note: Enter the sanle user's password
[root@sanchuang-linux bin]# visudo 
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
sanle   ALL=(ALL)       NOPASSWD:ALL	
# Note: Indicates that the sanle user can execute any command of any user on this host without entering the sanle user's password.
[sanle@sanchuang-linux ~]$ sudo passwd wy
Changing the password for user wy.
New password:									# Note: No need to verify the original password.
===============================================================================

Example 4: Grant permissions to users/groups
---------------------------------------------------------------------------------------------------------------------------------
[root@sanchuang-linux bin]# visudo 
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
sanle   ALL=(ALL)       NOPASSWD:ALL	
# Note: Indicates that the sanle user can execute any command of any user on this host without entering the sanle user's password.
%sanchuang5 ALL=(ALL)   NOPASSWD:ALL		
# Note: Indicates that users in the sanchuang5 group can execute any command of any user on this host without entering a password.

# Note: Granting all users in the sanchuang5 group permission to execute any command as any user.
# Note: All members of the group will also have this permission.
===============================================================================

Example 5: Authorize specific commands
---------------------------------------------------------------------------------------------------------------------------------
[sanle@sanchuang-linux ~]$ which chown
/usr/bin/chown
[sanle@sanchuang-linux ~]$ which passwd
/usr/bin/passwd
[root@sanchuang-linux cc_test]# visudo
root    ALL=(ALL)       ALL
sanle   ALL=(ALL)       NOPASSWD:ALL
%sanchuang5 ALL=(ALL)   NOPASSWD:ALL
wy      ALL=(ALL)       /usr/bin/chown,/usr/bin/passwd		# Note: Specify the absolute path of the commands.
# Note: Indicates that the wy user has permission to execute the chown and passwd commands on this host, with the command paths specified.
[wy@sanchuang-linux ~]$ sudo chmod 777 aa
We trust you have received the usual lecture from the local System Administrator. 
It boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type (consequences and risks).
    #3) With great power comes great responsibility.
[sudo] wy's password:											 # Note: The password is verified first; sudo then checks the rule, and since chmod is not in wy's command list the request is rejected (Example 6 shows the log entry).
[wy@sanchuang-linux ~]$ sudo passwd wy2
Changing the password for user wy2.
New password:
===============================================================================

Example 6: Authorization logs in /var/log/secure
---------------------------------------------------------------------------------------------------------------------------------
[root@sanchuang-linux cc_test]# cd /var/log/
[root@sanchuang-linux log]# less secure				
uid=0 tty=/dev/pts/2 ruser=wy rhost=  user=wy
Nov 12 16:43:26 sanchuang-linux sudo[2424]: pam_unix(sudo:auth): conversation failed
Nov 12 16:43:26 sanchuang-linux sudo[2424]: pam_unix(sudo:auth): auth could not identify password for [wy]
Nov 12 16:43:26 sanchuang-linux sudo[2424]: wy : command not allowed ; TTY=pts/2 ; PWD=/home/wy ; USER=root ; COMMAND=/bin/chmod 777 aa
===============================================================================

8. Exercises#

Install net-tools using yum.
Grant the bailongma user permissions for useradd, userdel, passwd.
Grant the baigujing user permissions for ip, ping, ifconfig, route.
Grant the yutujing user permissions for poweroff, reboot.

Example 1
---------------------------------------------------------------------------------------------------------------------------------
[wy@sanchuang-linux ~]$ which useradd				# Note: Find the absolute path of the command.
/usr/sbin/useradd
………………………………
[wy@sanchuang-linux ~]# visudo
root    ALL=(ALL)       ALL
bailongma ALL=(ALL)     /usr/sbin/useradd,/usr/sbin/userdel,/usr/bin/passwd
baigujing ALL=(ALL)     /usr/sbin/ip,/usr/bin/ping,/usr/sbin/ifconfig,/usr/sbin/route
yutujing  ALL=(ALL)     /usr/sbin/poweroff,/usr/sbin/reboot
===============================================================================

Example 2: (ALL) can be omitted
---------------------------------------------------------------------------------------------------------------------------------
[wy@sanchuang-linux ~]# visudo
root    ALL=(ALL)       ALL
bailongma ALL=/usr/sbin/useradd,/usr/sbin/userdel,/usr/bin/passwd		# Note: (ALL) can be omitted; the commands may then only be run as root.
baigujing ALL=/usr/sbin/ip,/usr/bin/ping,/usr/sbin/ifconfig,/usr/sbin/route
yutujing  ALL=/usr/sbin/poweroff,/usr/sbin/reboot
===============================================================================

Example 3: Define aliases
--------------------------------------------------------------------------------------------
[wy@sanchuang-linux ~]# visudo
# Define command aliases
Cmnd_Alias  NETWORK = /usr/sbin/ip,/usr/bin/ping,/usr/sbin/ifconfig,/usr/sbin/route
Cmnd_Alias  SHUT = /usr/sbin/poweroff,/usr/sbin/reboot
Cmnd_Alias  USER = /usr/sbin/useradd,/usr/sbin/userdel,/usr/bin/passwd

bailongma ALL=USER,NETWORK
baigujing ALL=NETWORK
yutujing  ALL=SHUT
------------------------------------------------------------------------
[baigujing@sanchuang-linux ~]$ sudo ip a add 192.168.0.144/24 dev ens33  # Note: Add an IP address to the network card.
[sudo] baigujing's password:								# Note: Using the ip command with permissions.
[baigujing@sanchuang-linux ~]$ ip add
………………
    inet 192.168.0.26/24 brd 192.168.0.255 scope global dynamic noprefixroute ens33
    inet 192.168.0.144/24 scope global secondary ens33
………………
------------------------------------------------------------------------
# Note: Adding an IP address to the network card (one network card can have multiple IP addresses).
[wy@sanchuang-linux ~]$ ip a add 192.168.0.144/24 dev ens33

9. Introduction to SELinux#

  • What is SELinux? What is its use?

  • How to check if SELinux is enabled?

    getenforce

  • How to disable and enable SELinux?

    Temporarily
    setenforce
    Permanently
    Modify configuration files
    vim /etc/selinux/config
    vim /etc/sysconfig/selinux
    Restart the system.

  • Is SELinux widely used in enterprises?

---------------------------------------------------------------------------------------------------------------------------------

What is SELinux?
- SELinux is a security subsystem in Linux systems designed to enhance the overall security level of Linux. It is a type of access control system that restricts processes to only access the files they need for their tasks (controlling which processes can access which allowed resources).

- There are two types of access control in operating systems: Discretionary Access Control (DAC) and Mandatory Access Control (MAC).

- Standard Linux security is a form of DAC, while SELinux adds a flexible and configurable MAC to Linux.

- DAC (Discretionary Access Control)

- How it works:

- MAC (Mandatory Access Control) --> selinux

- How it works:

- Which processes can access which types of files is governed by security policies.
Permanent modification
# Note: This is a link file /etc/sysconfig/selinux -> /etc/selinux/config
[root@cali log]# vim /etc/sysconfig/selinux
SELINUX=disabled

Temporary configuration
Temporary configuration will be invalid after reboot.
0 --> Permissive mode
1 --> Enforcing mode
[root@cali selinux]# setenforce 0  
[root@cali selinux]# getenforce  
Permissive
[root@cali selinux]#
[root@cali selinux]# setenforce 1  
[root@cali selinux]# getenforce  
Enforcing
[root@cali selinux]#
- Process control: Controls which processes can access which files, as it classifies processes and files, establishing policies that dictate which types of processes can operate on which types of files.

- When a service unexpectedly cannot be accessed --> cannot be reached over the network:
- 1. Consider whether the iptables firewall is enabled.
- 2. Consider whether the SELinux security mechanism is enabled.

- iptables is the outer layer of the security policy firewall.
- SELinux is the internal security policy mechanism firewall in Linux.
Blog link: https://blog.csdn.net/yanjun821126/article/details/80828908

SELinux is a security-related subsystem integrated into the kernel, making the system more secure.
Supported in kernel version 2.6 and above.

# Note: Check kernel version uname -r
[root@sanchuang-linux bin]# uname -r
4.18.0-193.el8.x86_64

Security-Enhanced Linux (SELinux) is a Linux kernel module and a security subsystem of Linux.

The role of SELinux
The main role of SELinux is to minimize the resources that service processes can access in the system (principle of least privilege).

DAC:
In operating systems without SELinux, the factor determining whether a resource can be accessed is whether a user has the corresponding permissions (read, write, execute) for that resource.
This permission management mechanism is user-centric and is called Discretionary Access Control (DAC).

MAC:
In operating systems with SELinux, determining whether a resource can be accessed involves not only the above factors but also whether each type of process has access permissions for a certain type of resource.
This permission management mechanism is process-centric and is called Mandatory Access Control (MAC).

By default, SELinux is in the disabled state (disable); once enabled, service access is generally restricted by the SELinux settings.
Example: Temporary modification
--------------------------------------------------------------------------------------------
# Note: Temporary modification takes effect immediately but is lost after a reboot.
# Note: 0 --> Permissive mode
# Note: 1 --> Enforcing mode
[root@sanchuang-linux ~]# getenforce 			# Note: Get the current SELinux mode.
Disabled
[root@sanchuang-linux ~]# setenforce 0			# Note: 0 for permissive mode		Temporary effect.
setenforce: SELinux is disabled
[root@sanchuang-linux ~]# setenforce 1			# Note: 1 for enforcing mode (must adhere to SELinux rules).
setenforce: SELinux is disabled
# Note: 0|1  Permissive|Enforcing  Permissive mode|Enforcing mode

=============================================================================================
Example: Permanent effect by modifying configuration files
# Note: Configuration file: /etc/selinux/config
[root@sanchuang-linux ~]# vim /etc/selinux/config
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled		# Note: Specify the working mode.
# Note: After modification, it takes effect after restarting the computer.